npm - @synkro-sh/cli - Versions diffs - 1.6.83 → 1.6.85 - Mend

@synkro-sh/cli 1.6.83 → 1.6.85

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -1570,7 +1570,12 @@ export async function loadConfig(jwt: string, query?: string): Promise<HookConfi
           .filter((e: any) => e && typeof e.path === 'string')
           .map((e: any) => ({ path: e.path, cwe_id: e.cwe_id || '' }));
       }
-      return config;
+      // Trust the local result as authoritative ONLY when it actually carried a
+      // policy (or we're in local storage mode, where no cloud fallback exists).
+      // A transient empty local read (policy:null) must NOT short-circuit the
+      // gateway fallback \u2014 otherwise the grade runs ruleless and the tag flaps to
+      // "[\u2026:all:\u2026] no org rules to evaluate" on a repo that DOES have rules.
+      if (policy || isLocalStorageMode()) return config;
     }
   } catch {}
@@ -1841,6 +1846,33 @@ export function ruleFilterText(action: string, userMessage?: string | null): str
 export async function filterRules(commandText: string, allRules: Rule[]): Promise<Rule[]> {
   if (allRules.length <= 3) return allRules;
+  // Cloud: the embedding index lives server-side (the container grade path can't
+  // reach 127.0.0.1), so ask the gateway for the top-3 relevant rules \u2014 same
+  // CF/BYOK bge-base vectors, same behavior as local. Without this, cloud grades
+  // dumped EVERY rule into the prompt (9KB+), the dominant cause of grade
+  // timeouts. Any failure falls back to all rules (status quo), never blocks.
+  if (!isLocalStorageMode()) {
+    const jwt = loadJwt();
+    if (!jwt) return allRules;
+    try {
+      const resp = await fetch(GATEWAY_URL + '/api/v1/hook/filter-rules', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+        body: JSON.stringify({ text: commandText, top_k: 3 }),
+        signal: AbortSignal.timeout(2000),
+      });
+      if (!resp.ok) return allRules;
+      const data = await resp.json() as { rules?: Array<Record<string, unknown>> };
+      if (!data.rules || data.rules.length === 0) return allRules;
+      const selectedIds = new Set(data.rules.map(r => String(r.rule_id || '')));
+      return allRules.filter(r => selectedIds.has(r.rule_id));
+    } catch {
+      return allRules;
+    }
+  }
+  // Local: the on-device PGLite embedding index owns the rule set.
   const mcpPort = process.env.SYNKRO_MCP_PORT || '18931';
   try {
     const resp = await fetch('http://127.0.0.1:' + mcpPort + '/api/local/filter-rules', {
@@ -1852,10 +1884,7 @@ export async function filterRules(commandText: string, allRules: Rule[]): Promis
     if (!resp.ok) return allRules;
     const data = await resp.json() as { rules?: Array<Record<string, unknown>> };
     if (!data.rules || data.rules.length === 0) return allRules;
-    // Local PGLite owns the rule set \u2014 trust filter-rules output directly.
-    if (isLocalStorageMode()) return mapHookRules(data.rules);
-    const selectedIds = new Set(data.rules.map(r => String(r.rule_id || '')));
-    return allRules.filter(r => selectedIds.has(r.rule_id));
+    return mapHookRules(data.rules);
   } catch {
     return allRules;
   }
@@ -3027,7 +3056,7 @@ export async function syncConversationTranscript(
           const b = c as Record<string, unknown>;
           return {
             name: b.name,
-            input: JSON.stringify(b.input || b.arguments || {}).slice(0, 500),
+            input: JSON.stringify(b.input || b.arguments || {}).slice(0, 20000),
             id: b.id,
           };
         });
@@ -10511,6 +10540,7 @@ __export(install_exports, {
   getOrMintCloudToken: () => getOrMintCloudToken,
   installCommand: () => installCommand,
   parseArgs: () => parseArgs,
+  readFullSynkroFile: () => readFullSynkroFile,
   reconcileDeployLocation: () => reconcileDeployLocation,
   reconcileHarness: () => reconcileHarness,
   recycleCloudContainer: () => recycleCloudContainer,
@@ -10839,7 +10869,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.6.83")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.6.85")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);
@@ -11956,6 +11986,7 @@ function readFullSynkroFile() {
       ruleset: parsed.ruleset || "default",
       skills: Array.isArray(parsed.skills) ? parsed.skills.filter((s) => typeof s === "string" && s.endsWith(".md")) : [],
       scanning: { cwe: parsed.scanning?.cwe !== false, cve: parsed.scanning?.cve !== false },
+      standards: parsed.standards && typeof parsed.standards === "object" ? Object.fromEntries(Object.entries(parsed.standards).filter(([k, v]) => typeof v === "string" && k.includes("/")).map(([k, v]) => [k, String(v)])) : {},
       _repoRoot: root
     };
   } catch {
@@ -14299,7 +14330,7 @@ function parseSession(filePath, sessionId) {
     const msgObj = e.message;
     const text = extractText(msgObj?.content ?? e.content);
     const blocks = kind === "assistant" && Array.isArray(msgObj?.content) ? msgObj.content : [];
-    const toolCalls = blocks.filter((b) => b?.type === "tool_use").map((b) => ({ name: b.name, input: JSON.stringify(b.input || {}).slice(0, 500), id: b.id }));
+    const toolCalls = blocks.filter((b) => b?.type === "tool_use").map((b) => ({ name: b.name, input: JSON.stringify(b.input || {}).slice(0, 2e4), id: b.id }));
     if (!text.trim() && toolCalls.length === 0) continue;
     const msg = {
       message_index: i,
@@ -14420,6 +14451,177 @@ var init_import = __esm({
   }
 });
+// cli/installer/packVerify.ts
+import crypto from "crypto";
+function stableStringify(value) {
+  if (value === null || typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) return "[" + value.map(stableStringify).join(",") + "]";
+  const obj = value;
+  const keys = Object.keys(obj).sort();
+  return "{" + keys.map((k) => JSON.stringify(k) + ":" + stableStringify(obj[k])).join(",") + "}";
+}
+function canonicalize(pack) {
+  return stableStringify({
+    rules: pack.rules ?? [],
+    docs: pack.docs ?? [],
+    manifest: pack.manifest ?? {}
+  });
+}
+function computeDigest(canonical) {
+  return "sha256:" + crypto.createHash("sha256").update(canonical, "utf8").digest("hex");
+}
+function verifySignature(digest, signatureB64, publicKeyPem) {
+  try {
+    const key = crypto.createPublicKey(publicKeyPem);
+    return crypto.verify(null, Buffer.from(digest, "utf8"), key, Buffer.from(signatureB64, "base64"));
+  } catch {
+    return false;
+  }
+}
+function verifyPack(pack, claimedDigest, signatureB64, publicKeyPem) {
+  const recomputed = computeDigest(canonicalize(pack));
+  if (recomputed !== claimedDigest) return false;
+  return verifySignature(claimedDigest, signatureB64, publicKeyPem);
+}
+var init_packVerify = __esm({
+  "cli/installer/packVerify.ts"() {
+    "use strict";
+  }
+});
+// cli/installer/lockfile.ts
+import { existsSync as existsSync18, readFileSync as readFileSync16, writeFileSync as writeFileSync11 } from "fs";
+import { join as join18 } from "path";
+function lockPath(repoRoot) {
+  return join18(repoRoot, LOCK_FILE);
+}
+function writeLockfile(repoRoot, entries) {
+  const sorted = [...entries].sort((a, b) => a.ref.localeCompare(b.ref));
+  const body = [
+    "# synkro.lock \u2014 generated by `synkro sync`. Commit this file.",
+    "# Pins each subscribed pack to its verified, attested digest.",
+    "",
+    ...sorted.flatMap((e) => [
+      "[[pack]]",
+      `ref = "${e.ref}"`,
+      `version = "${e.version}"`,
+      `digest = "${e.digest}"`,
+      `signature = "${e.signature}"`,
+      `signing_key_id = "${e.signingKeyId}"`,
+      ""
+    ])
+  ].join("\n");
+  writeFileSync11(lockPath(repoRoot), body, "utf-8");
+}
+var LOCK_FILE;
+var init_lockfile = __esm({
+  "cli/installer/lockfile.ts"() {
+    "use strict";
+    LOCK_FILE = "synkro.lock";
+  }
+});
+// cli/commands/sync.ts
+var sync_exports = {};
+__export(sync_exports, {
+  syncCommand: () => syncCommand
+});
+import { existsSync as existsSync19, mkdirSync as mkdirSync12, readdirSync as readdirSync6, rmSync as rmSync2, writeFileSync as writeFileSync12 } from "fs";
+import { homedir as homedir18 } from "os";
+import { join as join19 } from "path";
+function cacheKey(ref, version) {
+  return ref.replace(/\//g, "__").replace(/[^\w.@-]/g, "_") + "@" + version + ".json";
+}
+async function syncCommand(_args = []) {
+  const sf = readFullSynkroFile();
+  if (!sf) {
+    console.error("No synkro.toml found in the repo root. Run `synkro install` first.");
+    process.exitCode = 1;
+    return;
+  }
+  const refs = Object.entries(sf.standards);
+  if (refs.length === 0) {
+    console.log("No [standards] subscriptions in synkro.toml \u2014 nothing to sync.");
+    return;
+  }
+  await ensureValidToken();
+  const token = getAccessToken();
+  if (!token) {
+    console.error("Not logged in. Run `synkro login` and try again.");
+    process.exitCode = 1;
+    return;
+  }
+  const gateway = (process.env.SYNKRO_GATEWAY_URL || "https://api.synkro.sh").replace(/\/$/, "");
+  const cloud = process.env.SYNKRO_DEPLOY_LOCATION === "cloud";
+  const cacheDir = join19(homedir18(), ".synkro", "cache", "packs");
+  if (!cloud) mkdirSync12(cacheDir, { recursive: true });
+  console.log(`Syncing ${refs.length} standard(s) from the registry\u2026`);
+  const lock = [];
+  const keptCacheFiles = /* @__PURE__ */ new Set();
+  for (const [ref, version] of refs) {
+    let url = `${gateway}/api/v1/registry/resolve?ref=${encodeURIComponent(ref)}`;
+    if (version && version !== "latest") url += `&version=${encodeURIComponent(version)}`;
+    let data;
+    try {
+      const resp = await fetch(url, { headers: { Authorization: `Bearer ${token}` } });
+      if (!resp.ok) {
+        console.error(`  \u2717 ${ref}: resolve failed (${resp.status} ${resp.statusText})`);
+        continue;
+      }
+      data = await resp.json();
+    } catch (err) {
+      console.error(`  \u2717 ${ref}: ${err.message}`);
+      continue;
+    }
+    const pack = { rules: data.rules ?? [], docs: data.docs ?? [], manifest: data.manifest ?? {} };
+    if (!verifyPack(pack, data.digest, data.signature, data.publicKey)) {
+      console.error(`  \u2717 ${ref}: signature/digest verification FAILED \u2014 refusing to apply.`);
+      continue;
+    }
+    lock.push({ ref, version: data.version, digest: data.digest, signature: data.signature, signingKeyId: data.signingKeyId });
+    if (!cloud) {
+      const fname = cacheKey(ref, data.version);
+      keptCacheFiles.add(fname);
+      writeFileSync12(join19(cacheDir, fname), JSON.stringify({
+        ref,
+        version: data.version,
+        digest: data.digest,
+        rules: pack.rules,
+        docs: pack.docs,
+        manifest: pack.manifest
+      }), "utf-8");
+    }
+    const ruleCount = Array.isArray(pack.rules) ? pack.rules.length : 0;
+    console.log(`  \u2713 ${ref}:${data.version} \u2014 verified (${ruleCount} rule${ruleCount === 1 ? "" : "s"})`);
+  }
+  if (!cloud && existsSync19(cacheDir)) {
+    for (const f of readdirSync6(cacheDir)) {
+      if (f.endsWith(".json") && !keptCacheFiles.has(f)) {
+        try {
+          rmSync2(join19(cacheDir, f));
+        } catch {
+        }
+      }
+    }
+  }
+  if (lock.length > 0) {
+    writeLockfile(sf._repoRoot, lock);
+    console.log(`Wrote synkro.lock (${lock.length} pack${lock.length === 1 ? "" : "s"} pinned).`);
+  } else {
+    console.error("No packs synced successfully.");
+    process.exitCode = 1;
+  }
+}
+var init_sync = __esm({
+  "cli/commands/sync.ts"() {
+    "use strict";
+    init_install();
+    init_stub();
+    init_packVerify();
+    init_lockfile();
+  }
+});
 // cli/commands/lifecycle.ts
 var lifecycle_exports = {};
 __export(lifecycle_exports, {
@@ -14532,13 +14734,13 @@ var config_exports = {};
 __export(config_exports, {
   configCommand: () => configCommand
 });
-import { readFileSync as readFileSync16, writeFileSync as writeFileSync11, existsSync as existsSync18 } from "fs";
-import { join as join18 } from "path";
-import { homedir as homedir18 } from "os";
+import { readFileSync as readFileSync17, writeFileSync as writeFileSync13, existsSync as existsSync20 } from "fs";
+import { join as join20 } from "path";
+import { homedir as homedir19 } from "os";
 function readConfigEnv2() {
-  if (!existsSync18(CONFIG_PATH6)) return {};
+  if (!existsSync20(CONFIG_PATH6)) return {};
   const out = {};
-  for (const line of readFileSync16(CONFIG_PATH6, "utf-8").split("\n")) {
+  for (const line of readFileSync17(CONFIG_PATH6, "utf-8").split("\n")) {
     const t = line.trim();
     if (!t || t.startsWith("#")) continue;
     const eq = t.indexOf("=");
@@ -14547,11 +14749,11 @@ function readConfigEnv2() {
   return out;
 }
 function updateConfigValue(key, value) {
-  if (!existsSync18(CONFIG_PATH6)) {
+  if (!existsSync20(CONFIG_PATH6)) {
     console.error("No config found. Run `synkro install` first.");
     process.exit(1);
   }
-  const lines = readFileSync16(CONFIG_PATH6, "utf-8").split("\n");
+  const lines = readFileSync17(CONFIG_PATH6, "utf-8").split("\n");
   const pattern = new RegExp(`^${key}=`);
   let found = false;
   const updated = lines.map((line) => {
@@ -14562,7 +14764,7 @@ function updateConfigValue(key, value) {
     return line;
   });
   if (!found) updated.splice(updated.length - 1, 0, `${key}='${value}'`);
-  writeFileSync11(CONFIG_PATH6, updated.join("\n"), "utf-8");
+  writeFileSync13(CONFIG_PATH6, updated.join("\n"), "utf-8");
 }
 async function reconcileContainer() {
   const cfg = readConfigEnv2();
@@ -14672,20 +14874,20 @@ var init_config = __esm({
   "cli/commands/config.ts"() {
     "use strict";
     init_stub();
-    SYNKRO_DIR7 = join18(homedir18(), ".synkro");
-    CONFIG_PATH6 = join18(SYNKRO_DIR7, "config.env");
+    SYNKRO_DIR7 = join20(homedir19(), ".synkro");
+    CONFIG_PATH6 = join20(SYNKRO_DIR7, "config.env");
   }
 });
 // cli/bootstrap.js
-import { readFileSync as readFileSync17, existsSync as existsSync19 } from "fs";
+import { readFileSync as readFileSync18, existsSync as existsSync21 } from "fs";
 import { resolve as resolve3 } from "path";
 var envCandidates = [
   resolve3(process.env.HOME ?? "", ".synkro", "config.env")
 ];
 for (const envPath of envCandidates) {
-  if (!existsSync19(envPath)) continue;
-  const envContent = readFileSync17(envPath, "utf-8");
+  if (!existsSync21(envPath)) continue;
+  const envContent = readFileSync18(envPath, "utf-8");
   for (const line of envContent.split("\n")) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
@@ -14700,7 +14902,7 @@ var args = process.argv.slice(2);
 var cmd = args[0] || "";
 var subArgs = args.slice(1);
 function printVersion() {
-  console.log("1.6.83");
+  console.log("1.6.85");
 }
 function printHelp2() {
   console.log(`Synkro CLI \u2014 runtime safety for AI coding agents
@@ -14779,6 +14981,11 @@ async function main() {
       await importCommand2();
       break;
     }
+    case "sync": {
+      const { syncCommand: syncCommand2 } = await Promise.resolve().then(() => (init_sync(), sync_exports));
+      await syncCommand2(subArgs);
+      break;
+    }
     case "version":
     case "--version":
     case "-v": {